CVE-2026-42485
Deferred Deferred - Pending Action
Stack Buffer Overflow in AGL agl-service-can-low-level

Publication date: 2026-05-01

Last updated on: 2026-05-05

Assigner: MITRE

Description
AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42485
EUVD
EUVD-2026-26698
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agl agl-service-can-low-level *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for unusually large or malformed UDS (Unified Diagnostic Services) diagnostic request payloads sent over the CAN service API, as the overflow occurs when payloads exceed the expected size.

Specifically, detection involves capturing and analyzing CAN network traffic for diagnostic requests where the payload length exceeds the 6-byte buffer limit, potentially up to 7 bytes or more.

  • Use a CAN bus monitoring tool (e.g., can-utils) to capture traffic: `candump can0`
  • Filter diagnostic request messages and inspect payload lengths for values greater than 6 bytes.
  • Example command to capture and filter CAN frames with payload length > 6 bytes (assuming candump output parsing): `candump can0 | grep -E 'length=[7-9]'`

Additionally, system logs or application logs related to agl-service-can-low-level may show crashes or anomalies indicating exploitation attempts.

Executive Summary

This vulnerability is a stack buffer overflow in the uds-c library used by the agl-service-can-low-level component. Specifically, the send_diagnostic_request function allocates a 6-byte buffer on the stack but copies up to 7 bytes into it without proper bounds checking. This causes 1 to 4 bytes of overflow on the stack.

Because the payload_length field is not checked against the buffer size, an attacker can overflow the stack buffer. On 32-bit ARM automotive ECUs that lack stack canaries, this overflow can overwrite the return address, potentially allowing remote code execution (RCE).

Impact Analysis

This vulnerability can lead to remote code execution on affected 32-bit ARM automotive ECUs without stack canaries. An attacker could exploit the stack buffer overflow to overwrite the return address and execute arbitrary code.

Such an exploit could compromise the security and integrity of the automotive system, potentially allowing unauthorized control or disruption of vehicle functions.

Mitigation Strategies

Immediate mitigation steps include restricting access to the CAN service API to trusted sources only, to prevent unauthorized or malicious diagnostic requests.

Implement network-level filtering to block diagnostic requests with payloads exceeding the safe length (6 bytes) before they reach the vulnerable service.

If possible, update or patch the agl-service-can-low-level component or the uds-c library to a version that includes bounds checking on the payload length in the send_diagnostic_request function.

As a temporary workaround, enable any available security features such as stack canaries or address space layout randomization (ASLR) on the affected systems to reduce the risk of successful exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42485. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart